[Virus Alert] 4 new worms found
Worm name: TROJ_DELF.WH
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This memory-resident Trojan may be downloaded from the Internet by unsuspecting users. It may also arrive as a dropped file of other malware programs. Moreover, it may arrive as an attachment to a spammed email message.
As a result, routines of the aforementioned malware programs are also exhibited on the affected machine.
Worm name: BKDR_PROSTI.AA
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This backdoor application arrives on a system either as a downloaded file from the Internet or as an attachment to an email message manually mass-mailed by a malicious user.
When executed, it drops several components in the hardcoded path, C:\WINDOWS\Media.
This backdoor application uses its backdoor component, LSASS.EXE, and opens port 6699 to wait for a remote malicious user to access and gain virtual control over the said system. This routine compromises system security and opens the affected machine to further attacks.
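A triage check built from the indicators in the BKDR_PROSTI.AA description above, as an added example that is not part of the original alert. The CSV layout, field names and sample rows are constructed, and the System32 location of the genuine lsass.exe assumes a default Windows install.

```python
import csv
import io
import ntpath  # Windows path semantics regardless of the host OS

BACKDOOR_PORT = "6699"                              # port named in the alert
DROP_DIR = ntpath.normcase(r"C:\WINDOWS\Media")     # drop path named in the alert
# Assumption: default install, where the genuine LSASS image lives here.
REAL_LSASS_DIR = ntpath.normcase(r"C:\Windows\System32")

# Constructed sample of a process/socket inventory export (hypothetical format).
SAMPLE = r"""pid,image,proto,local,state
612,C:\Windows\System32\lsass.exe,TCP,0.0.0.0:49664,LISTENING
2480,C:\WINDOWS\Media\LSASS.EXE,TCP,0.0.0.0:6699,LISTENING
3120,C:\Program Files\App\p2p.exe,TCP,0.0.0.0:6699,LISTENING
4012,C:\Windows\System32\svchost.exe,TCP,10.0.0.5:50112,ESTABLISHED
"""

def triage(text):
    """Return {pid: [reasons]} for rows matching the alert's indicators."""
    findings = {}
    for row in csv.DictReader(io.StringIO(text)):
        # normcase lowercases and unifies separators, so LSASS.EXE == lsass.exe
        image = ntpath.normcase(row["image"].strip())
        folder, name = ntpath.dirname(image), ntpath.basename(image)
        reasons = []
        # Masquerading: the system process name used from a non-system folder.
        if name == "lsass.exe" and folder != REAL_LSASS_DIR:
            reasons.append("lsass.exe outside System32")
        # Any executable image running from the hardcoded drop directory.
        if folder == DROP_DIR and name.endswith(".exe"):
            reasons.append("executable running from Media folder")
        # Listener on the backdoor port; on its own this is the weakest signal,
        # because an unrelated application may use the same port.
        port = row["local"].rsplit(":", 1)[-1]   # also handles [::]:6699
        if (row["proto"].upper() == "TCP"
                and row["state"].upper() == "LISTENING"
                and port == BACKDOOR_PORT):
            reasons.append("listener on TCP 6699")
        if reasons:
            findings[int(row["pid"])] = reasons
    return findings

if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE).items():
        print(pid, "; ".join(reasons))
```

A row that matches all three reasons deserves immediate attention, while a port-only match needs the owning image checked before it is treated as an infection.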
Worm name: WORM_SCANO.AB
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This worm spreads by attaching a copy of itself to email messages, which it sends to target addresses using its own Simple Mail Transfer Protocol (SMTP) engine.
The use of its own SMTP engine improves the propagation method of this worm since it does not require other messaging applications to send the following email message:
Note that the said files are encrypted and may contain other URLs, where this worm can download other malicious files.
Worm name: BKDR_BREPLIBOT.Z
Risk rating: HIGH
Damage Potential: HIGH
Distribution Potential: HIGH
Description:
This backdoor program arrives on a system as an attachment to a spammed email message. The said attachment uses the file name PHOTO AND ARTICLE.EXE. It may also arrive on the system either as a downloaded file from a malicious Web site that an unsuspecting user visits, or as a dropped file of other malware.
It opens a random TCP port, and joins a particular Internet Relay Chat server to wait for commands from a remote malicious user. Some of its capabilities include deleting, downloading, and executing files. It performs the said routines locally on the affected system, thus compromising system security.
Furthermore, it bypasses the firewall settings of the affected system so that it can perform its routines without being blocked, thus making its detection and removal difficult.
References: http://www.trendmicro.com/vinfo/ (TrendMicro Virus Security Info)
http://www.trendmicro.com/vinfo/zh-tw/default.asp (Traditional Chinese TrendMicro Virus Security Info)